GDPR compliance for apps is under growing regulatory scrutiny as the ICO steps up its enforcement around how mobile applications collect and use personal data.
With apps often handling sensitive information, from health and finance to location and behavioural data, developers must treat privacy as a built-in feature, not an afterthought. The ICO’s guidance emphasises the importance of transparency, consent, and robust security throughout the entire development lifecycle. Our data protection solicitors support app developers in embedding privacy by design, ensuring your app meets legal standards while building trust and mitigating risk.
ICO reminds app developers to prioritise privacy
After investigating period- and fertility-tracking apps and assessing how they process personal data, the ICO issued guidance for app developers urging them to prioritise privacy and be more transparent with users:
‘Signing up to an app often involves handing over large amounts of personal information, especially with apps that support our health and wellbeing. Users deserve peace of mind that their data is secure, and they are only expected to share information that is necessary. When we announced we were looking into period and fertility apps, we received a helpful response from users who were able to share their experiences with us. We want to reassure users that we haven’t found any evidence these apps are using their data in a way that could cause them harm. However, our review has highlighted there are improvements app developers could make to ensure they are meeting all their obligations to be transparent with their users and keep their data safe.’ - Emily Keaney, ICO’s Deputy Commissioner of Regulatory Policy.
What are the key GDPR concerns for apps?
In a technology-driven world filled with mobile apps, developers have access to vast amounts of personal data every day. This entails a range of obligations under the UK General Data Protection Regulation (UK GDPR), which outlines stringent rules and requirements that app developers must adhere to when processing user personal data collected through their apps.
Apps across various categories, such as social media, news, fitness, and those that facilitate the purchase of goods or services, collect a wide range of personal data from their users. This data may include:
- Basic personal information: Names, email addresses, phone numbers, and birthdates.
- Financial data: Bank account details, credit and debit card information, and transaction history.
- Location data: GPS coordinates, IP addresses, and other location-based information.
- Technical data: Device information, browser type, operating system, and unique device identifiers.
- Usage data: App interactions, preferences, and behaviour patterns.
Much of this data is collected through cookies and other tracking technologies deployed on users' devices, allowing apps to gather valuable insights into user behaviour and preferences.
App developers must be transparent about the types of data they collect (including via privacy policies), obtain necessary consents, and implement appropriate security measures to protect users' personal information.
The UK Information Commissioner’s Office (ICO) urges all app developers to embed privacy considerations into the design process itself (so-called ‘privacy by design’), rather than treating it as an afterthought. This proactive approach reflects the principle of data protection by design and default, which requires privacy to be an integral part of systems and services.
How can app developers comply with GDPR obligations?
Compliance with data protection laws is mandatory, and developers must first familiarise themselves with the relevant data protection laws and then ensure compliance with them. Developers need to integrate appropriate practices into the initial development phase and throughout the entire app life cycle, including subsequent version releases. By doing so, developers will not only comply with their legal obligations, but also build trust with their users. Privacy is not just a legal obligation but also a key factor in maintaining user confidence and loyalty in our digital age.
If you are developing a new app that relies on user registrations or otherwise collects personal data, it is crucial to consider privacy and data protection from the outset. The ICO has provided key questions that you and your app development team should address during the design phase to ensure compliance with data protection laws:
- Do you offer a comprehensive privacy policy? Apps must display a clear and comprehensive privacy policy detailing how the personal data collected through them is collected, processed, and stored. The privacy policy should be easily accessible to users and written in plain language. Getting your policy right can be particularly challenging for certain apps, such as those aimed at children. Privacy policies must be fully compliant with the UK GDPR, and this often requires a range of details to be disclosed to users. Our article ‘Privacy policies for iOS apps’ looks at what you need to consider when submitting new apps or app updates to Apple’s App Store.
- Have you considered your lawful basis for processing? Developers must consider and document a valid and lawful basis for processing user data, which may include consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. Each processing activity must be justified under one of these lawful bases.
- Do you have an appropriate consent mechanism? App developers must implement robust mechanisms for obtaining user consent before collecting or processing personal data where consent is the lawful basis for the collection and processing of that personal data. Consent should be freely given, specific, informed, and unambiguous, and users must be able to withdraw consent at any time.
- How will you minimise personal data? Apps should collect only the personal data necessary for their intended purpose and refrain from collecting excessive or irrelevant personal data. Adopting a data minimisation approach not only ensures compliance with your legal obligations but also helps mitigate privacy risks and enhance user trust.
- Do you have appropriate data security measures in place? Implementing strong security measures is crucial to safeguarding personal data against unauthorised access, disclosure, alteration, or destruction. For instance, measures such as encryption, access controls, and regular security assessments are essential components of your security strategy, particularly given the high volumes of data that apps hold.
- Have you published a cookie policy? In addition to the UK GDPR rules, compliance with the Privacy and Electronic Communications Regulations (PECR) is also vital. Developers must comply with PECR rules on cookies and tracking technologies, particularly if their app uses cookies or similar tools for analytics or advertising purposes. Mobile apps commonly use cookies, which requires informed consent from users. Apps must provide transparent information about the cookies they use and how users can control them. Before installing the app, users must have access to a cookie policy that explains the types of cookies used and offers choices allowing them to manage their preferences, together with a compliant consent mechanism.
Why does GDPR matter for app developers?
Compliance with UK GDPR is not merely a legal obligation for app developers. It is a fundamental practice for fostering trust, transparency, and accountability with users. By prioritising user privacy and adhering to best practices, app developers can demonstrate their commitment to compliance with data protection laws while delivering responsible and user-friendly app experiences.
As the ICO continues to focus on app data collection and privacy issues, app developers must remain vigilant and proactive in their efforts to ensure compliance. The ICO's commitment to publishing more guidance for app users underscores the high priority placed on protecting user privacy in the mobile app space. App developers should closely monitor these developments and seek guidance from data protection solicitors if necessary, to ensure that their practices align with the latest regulatory expectations set by the ICO.